Main Street America: A Vulnerable Target for Cyber Attack

Cyber risk affects everyone. There’s not a business small or simple enough to escape its reach. If you handle personally identifiable information on behalf of employees or customers, use a computer to conduct business, or work with a vendor that does, your company is exposed.

Small businesses that make up Main Street America, however, continually underestimate their risk. These are the local food markets, ice cream shops and hardware stores; independent legal and consulting firms; preschools and small nonprofits that underpin community economies.

Sixty-one percent of businesses in this sector suffered a cyber attack in 2017, yet only 25 percent had sufficient cyber insurance coverage, according to Ponemon Institute’s “2017 State of Cyber Security in Small & Medium-Sized Businesses.” Even fewer – 22 percent – were taking steps to protect themselves by encrypting private employee and customer data.

Addressing the coverage gap requires two steps. First, small business owners need to better understand the type and extent of their cyber exposure. Second, their insurer and broker partners need to proactively educate this sector about the risk transfer solutions available to them.

The Many Forms of Cyber Risk

Betty Shepherd, Divisional Senior Vice President

“Cyber risk refers to the financial consequences a business has in the face of a network security breach or a breach of private information in their care, custody or control,” said Betty Shepherd, Divisional Senior Vice President, Great American Insurance Group.

“This risk can manifest itself in several forms, but the majority comes down to data. It’s important to analyze how data flows through your organization to determine your exposure.”

A network security breach can include anyone gaining unauthorized access to a company’s systems and/or data. A network breach may or may not result in a privacy beach, in which an unauthorized person gains access to personal identifiable information (PII) like credit card numbers, Social Security numbers, addresses or other sensitive data. A network breach can cause business interruption, data loss or even an extortion event.

Possible theft of PII triggers a host of extra expenses. All 50 states now require businesses to report cyber breaches involving PII to affected individuals as well as regulators. An organization may need to conduct forensic investigation to determine what — if anything— was accessed or stolen. Affected companies may also offer ongoing credit monitoring services to affected customers if financial information was divulged.

“In states with notification requirements, data owners are legally obligated to notify an individual if their private information has been breached or thought to be accessed in an unauthorized manner,” Shepherd said.

“Many small businesses believe this obligation falls to their third-party data processors, such as payment processors handling credit card data, or outsourced accounting functions administering payroll, for example. But that is not the case. Care of that data remains the responsibility of the business that collected it.”

Cyber extortion in the form of ransomware has grown increasingly common as a way for thieves to make off with small sums. Many companies would rather pay an affordable ransom and regain system access quickly than battle with an unknown assailant.

Denial of service attacks can cause financial harm via business interruption and lost income.

Third-party liability also enters the picture if the data belonging to a vendor or other business associate is unlawfully accessed, stolen or corrupted.

“An affected third party could file a claim against you if your network is determined to be the source of malware or the entry point for a cyber thief, thus enabling the compromise of the third party’s network,” Shepherd said.

Business owners should also keep in mind that paper trails are as important to safeguard as digital ones.

“People also tend to forget that cyber risk extends to paper files as well as electronic. Data is data,” Shepherd said. “Physical documents that contain sensitive information are still an exposure. Failing to properly store and/or dispose of that paper may open a company up to the same liability as if a computer system gets hacked.”

More often than not, carelessness on the part of employees — rather than a malicious hacker — is the cause of network security failure. Unwittingly clicking on a link or attachment within a phishing email, for example, can plant malware without any overt indication. Mobile devices used for work can be stolen or lost. Papers casually tossed in the trash are easy targets for theft.

“Understanding where cyber risk comes from is the first step of risk mitigation,” Shepherd said.

Developing a Risk Management Strategy

Once a business pinpoints where its exposure lies, it can take specific steps to strengthen vulnerabilities. Encrypting data renders it useless to a cyber thief. Storing sensitive documents in a locked cabinet and enforcing proper disposal protocols reduces the risk that they’ll fall into the wrong hands. Installing firewalls and dual-authentication processes can enhance network security.

But advancing technology and increasingly sophisticated hackers make it nearly impossible to build ironclad defenses against cyber risk. This is why adequate cyber insurance is critical in helping small companies stay up and running in the aftermath of a breach.

Parsing through the insurance options available, though, can be difficult even for large corporations with more cyber expertise. Lots of overlap exists among current products on the market. General liability, E&O and fidelity products may have some cyber component built in but may not offer all the coverages a company needs. Still, some small businesses can find it costly to purchase a standalone cyber policy.

“There are many policy variations, and there’s no single form on the market that will cover every cyber peril,” Shepherd said. “The appropriate solution depends on the nature of your exposure.”

A pizzeria, for example, can still make pies and accept cash payments if their point-of-sale system goes down, so its management team is less concerned about business interruption expenses. A manufacturer, on the other hand, may suffer a total lapse in operations if their industrial network is compromised. A consulting firm is likely to have staff working remotely and may need specific coverage for mobile devices more so than a clothing boutique. But the boutique will transact a larger volume of credit card data and may be more concerned with breach notification and remediation costs.

Expertise to Craft Custom Solutions

Insurers with expertise in cyber risk can offer the tailored solutions that small businesses need.

Great American offers a modular policy format with a menu of insuring agreements, including security breach liability and expenses, cyber extortion threats, funds transfer fraud, replacement or restoration of electronic data, and public relations expenses, among others.

“A Great American policy includes the third-party liability exposure inherent in many network security and privacy breaches as well as the first-party exposure like breach notification, investigation and credit monitoring expenses,” Shepherd said. “We also have separate coverage available for public relations services to help an organization mitigate reputational damage in the event they experience negative publicity following a breach.”

Great American policyholders also have access to a web portal offering informational resources like whitepapers, as well as breach calculators and referrals for security, forensic investigation and legal firms.

Great American has focused its cyber expertise on the needs of small- to medium-sized companies, underwriting businesses with up to $250 million in annual revenue.

“Every organization has a cyber risk exposure, but we’re not looking to underwrite everyone. We’re dedicated to the unique needs of small- and mid-size organizations,” Shepherd said. “We will continue to educate and serve this sector as the risk and exposures evolves.”

Great American Insurance Group, 301 E. Fourth St., Cincinnati, OH 45202. Policies are underwritten by Great American Insurance Company, Great American Assurance Company, Great American Alliance Insurance Company, Great American Insurance Company of New York, Great American Security Insurance Company, and Great American Spirit Insurance Company, authorized insurers in all 50 states and the DC.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Great American Insurance Group. The editorial staff of Risk & Insurance had no role in its preparation.

Great American’s innovative insurance solutions and specialization serves niche marketplaces that we know well, giving us a successful foundation that spans generations.

You conducted a feasibility study before forming your captive, establishing long term goals and objectives, determining which risks to write, where to domicile, and how to finance it all.

But that was five years ago.

Since then, your company has made two acquisitions, expanded its workforce, implemented new technology, contracted with new suppliers, and been affected by a new federal regulation. In short, the risk profile has changed considerably.

Is your captive keeping up?

“As with all other business matters, your company’s captive needs and goals are likely to change over time, especially with new and emerging risks sprouting up frequently,” said Karin Landry, managing partner, Spring Consulting Group.

“We recommend a ‘refeasibility’ study at least every five years to reassess risk appetite and exposure.”

A ‘refeasibility’ study ensures your captive insurance company is still serving your organization’s needs and furthering its mission, rather than holding it back. Unlike the initial feasibility study, this periodic checkup must consider your existing captive structure and financing strategies, and take into account how the captive has performed thus far.

To gain a holistic view of your captive’s performance and evaluate the need for change, captive owners should ask themselves these five questions:

1. Do your captive’s goals align with your risk profile?

Karin Landry, Managing Partner, Spring Consulting Group

Evaluating your captive’s goals in the first step of a refeasibility plan. And that begins with collection of data. Claims experience, reserve and surplus levels, loss ratios and other measures of efficiency indicate how successfully the captive has operated and where it has underperformed.

This indicates whether it has met initial goals, and whether those goals should change. This decision is also largely dependent on changes in the insured organization’s risk profile and the subsequent impact on insurance needs.

Moving employee benefits into a captive may be a more efficient way to provide coverage for a larger payroll. Greater reliance on automation or IoT technology may likewise increase the need for cyber coverage tailored to an organization’s specific needs.

“Emerging risks should be considered in this assessment,” Landry said. “For example, new technologies like driverless cars and drones and increasing automation will create both risks and opportunities across various industries.”

Performance metrics can help risk managers identify areas where resources can be shifted to support the coverage needs demanded by organizational change and emerging risks.

2. How will proposed changes impact other parts of the captive company?

The second stage of the study considers how adjustments to long term goals affect other pieces of the captive puzzle, such risk financing and use of reinsurance.

Adding new lines of coverage or expanding or reducing existing ones will necessitate an evaluation of risk financing strategies and could lead to changes in an organization’s investment mix or retention levels. This may also impact reliance on reinsurance as a component of the overall risk transfer strategy.

The best way to pinpoint the extent to which these changes should be made, Landry said, is through stress-testing.

“Running through scenarios with reasonable adverse case outcomes highlight where more or less financing is needed to service claims and maintain favorable loss ratios,” Landry said.

3. What specific implementation strategies will make your changes stick?

As with any enterprise-wide change, a detailed roadmap lays the groundwork for successful outcomes and can gain the confidence of stakeholders.

This stage identifies lines of insurance that could be moved into the captive or other coverages that would be more cost effective to insure through the traditional insurance market. Along with cyber and employee benefits, some of the most common risks to insure in captives include professional liability, auto liability, reputation, and business interruption.

Capital management strategies should also specify how surplus will be used going forward.

“There are several considerations in appropriately managing the capital and surplus levels over the life of a captive, including average cost of capital, retention levels, reinsurance use and taxes, among others,” Landry said. “A team of actuaries and consultants could review and develop strategy to address these.”

4. Does your existing captive structure still work?

Captives have taken on a number of different forms since their inception — single parent, group/association, rental captives, sponsored captives, non-controlled foreign corporations, etc. The primary differences between these structures center on the way risk is shared among the parties involved and how the captive is financed and regulated.

Sponsored captives, for example, offer a way for companies to take advantage of the established infrastructure of a traditional insurer and avoid the upfront costs of forming a captive — though they are not accepted in all domiciles. Group captives allow companies with unrelated risks to spread out their exposure and reduce their total cost of risk, but can present management challenges.

A captive’s domicile, the scope of risk it seeks to cover, and the financial strength of its parent company all help to determine which structure will work best.

5. Does your captive account for recent case law and regulations?

The technology industry isn’t the only one that is always changing. Laws, regulations and court cases, especially lately, have an impact on captives and need to be considered as you are taking a fresh look at your strategy.

Firstly, there’s tax reform. The tax rate reduction under the Trump administration has had a direct impact on captives, and a consolidated tax return that includes a captive insurance company should have its tax sharing agreement reviewed.

Further, payments to a foreign captive should be reviewed to determine if the Base Erosion Anti-Abuse Tax (BEAT) is applicable, and anyone in the U.S. with an owner’s interest in a foreign insurance company needs to review their holdings. IRS Notice 2016-66 with respect to microcaptives should also be considered, which leads us to our next point.

In light of two recent court cases – Avrahami vs. Commissioner and Reserve Mech. Corp. v. Commissioner – we now have more insight into what the IRS believes to be the criteria for a bona fide insurance company. As a result, we recommend going through a checklist of sorts to ensure the following regarding your captive:

Is the captive created for a non-tax business reason?

Is comparable coverage available in the market?

Are the policies valid and binding?

Domicile-related regulations are also changing. Is yours compliant with your current domicile, and have you looked at the new domiciles available? Lastly, it’s imperative to take a look at the Dodd Frank Act, specifically the self-procurement tax to ensure your captive is appropriately aligned.

6. Are the changes having the effect they’re supposed to?

You’ve identified new opportunities for your captive, supported proposed changes with data and stakeholder feedback, and developed detailed and holistic plans to move forward. But you’re not done.

The final step of any refeasibility study is to measure outcomes. Collect data again to see if newly established goals are being met and how the rest of the captive organization has been impacted.

“A great deal of this stage relies on solid industry benchmarks against which to measure current and future captive performance,” Landry said. “Furthermore, it’s important that the optimization team takes this data and edits their implementation plan accordingly to keep captive performance on track, making actionable recommendations for staff to follow.”

To execute your plan, turn to expert help

“These findings should serve as a baseline for measurement going forward,” Landry said. But look for a team of experts ranging from employee benefits, risk management and actuarial services to walk you through the steps and, ultimately, implementation. This is especially important as new risks continue to emerge and evolve; routine maintenance on your captive is important, just like it is on your car!

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Spring Consulting Group. The editorial staff of Risk & Insurance had no role in its preparation.

Spring Consulting Group, an Alera Group Company, LLC is a Boston-based employee benefits, risk management and actuarial consulting firm with clients across the globe.

A growing number of Americans earn their living in the gig economy without employer-provided benefits and protections such as workers’ compensation.

Advertisement

With the proliferation of on-demand services powered by digital platforms, questions surrounding who does and does not actually work in the gig economy continue to vex stakeholders. Courts and legislators are being asked to decide what constitutes an employee and what constitutes an independent contractor, or gig worker.

The issues are how the worker is paid and who controls the work process, said Bobby Bollinger, a North Carolina attorney specializing in workers’ compensation law with a client roster in the trucking industry.

The common law test, he said, the same one the IRS uses, considers “whose tools and whose materials are used. Whether the employer is telling the worker how to do the job on a minute-to-minute basis. Whether the worker is paid by the hour or by the job. Whether he’s free to work for someone else.”

Legal challenges have occurred, starting with lawsuits against transportation network companies (TNCs) like Uber and Lyft. Several court cases in recent years have come down on the side of allowing such companies to continue classifying drivers as independent contractors.

Those decisions are significant for TNCs, because the gig model relies on the lower labor cost of independent contractors. Classification as an employee adds at least 30 percent to labor costs.

The issues lie with how a worker is paid and who controls the work process. — Bobby Bollinger, a North Carolina attorney

However, a March 2018 California Supreme Court ruling in a case involving delivery drivers for Dynamex went the other way. The Dynamex decision places heavy emphasis on whether the worker is performing a core function of the business.

Under the Dynamex court’s standard, an electrician called to fix a wiring problem at an Uber office would be considered a general contractor. But a driver providing rides to customers would be part of the company’s central mission and therefore an employee.

Despite the California ruling, a Philadelphia court a month later declined to follow suit, ruling that Uber’s limousine drivers are independent contractors, not employees. So a definitive answer remains elusive.

The motive for companies seeking the contractor definition is clear: They don’t have to pay for benefits, said Meneghello. “But from a legal perspective, it’s not so easy to turn the workforce into contractors.”

“My concern is for individuals who believe they’re covered under workers’ compensation, have an injury, try to file a claim and find they’re not covered in the eyes of the state.” — Matt Zender, vice president, workers’ compensation product manager, AmTrust

It’s about to get easier, however. In 2016, Handy — which is being sued in five states for misclassification of workers — drafted a N.Y. bill to establish a program where gig-economy companies would pay 2.5 percent of workers’ income into individual health savings accounts, yet would classify them as independent contractors.

Unions and worker advocacy groups argue the program would rob workers of rights and protections. So Handy moved on to eight other states where it would be more likely to win.

Advertisement

So far, the Handy bills have passed one house of the legislature in Georgia and Colorado; passed both houses in Iowa and Tennessee; and been signed into law in Kentucky, Utah and Indiana. A similar bill was also introduced in Alabama.

The bills’ language says all workers who find jobs through a website or mobile app are independent contractors, as long as the company running the digital platform does not control schedules, prohibit them from working elsewhere and meets other criteria. Two bills exclude transportation network companies such as Uber.

These laws could have far-reaching consequences. Traditional service companies will struggle to compete with start-ups paying minimal labor costs.

Opponents warn that the Handy bills are so broad that a service company need only launch an app for customers to contract services, and they’d be free to re-classify their employees as independent contractors — leaving workers without social security, health insurance or the protections of unemployment insurance or workers’ comp.

That could destabilize social safety nets as well as shrink available workers’ comp premiums.

A New Classification

Independent contractors need to buy their own insurance, including workers’ compensation. But many don’t, said Hart Brown, executive vice president, COO, Firestorm. They may not realize that in the case of an accident, their personal car and health insurance won’t engage, Brown said.

Workers’ compensation for gig workers can be hard to find. Some state-sponsored funds provide self-employed contractors’ coverage. Policies can be expensive though in some high-risk occupations, such as roofing, said Bollinger.

The gig system, where a worker does several different jobs for several different companies, breaks down without portable benefits, said Brown. Portable benefits would follow workers from one workplace engagement to another.

What a portable benefits program would look like is unclear, he said, but some combination of employers, independent contractors and intermediaries (such as a digital platform business or staffing agency) would contribute to the program based on a percentage of each transaction.

There is movement toward portable benefits legislation. The Aspen Institute proposed portable benefits where companies contribute to workers’ benefits based on how much an employee works for them. Uber and SEI together proposed a portable benefits bill to the Washington State Legislature.

Meneghello is skeptical of portable benefits as a long-term solution. “They’re a good first step,” he said, “but they paper over the problem. We need a new category of workers.”

A portable benefits model would open opportunities for the growing Insurtech market. Brad Smith, CEO, Intuit, estimates the gig economy to be about 34 percent of the workforce in 2018, growing to 43 percent by 2020.

The insurance industry reinvented itself from a risk transfer mechanism to a risk management mechanism, Brown said, and now it’s reinventing itself again as risk educator to a new hybrid market. &

Susannah Levine writes about health care, education and technology. She can be reached at [email protected] Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

Cookies

We use cookies to ensure we give you the best experience on our site. By continuing to use our site without changing your settings, you're agreeing to our cookie policy. Click to view our cookie policy.